How an IoT Botnet Could Breach the Power Grid and Cause Widespread Blackouts

The Internet of Things (IoT) poses a major threat to our national infrastructure. An IoT botnet comprised of high-wattage devices such as air conditioners, heaters and washing machines could enable cybercriminals to launch a large-scale, coordinated attack on the power grid.

This finding, which was part of a study presented by Princeton researchers at the 2018 USENIX Security Symposium in August, demonstrates that the more interconnected our world becomes for the sake of convenience, the larger the implications for security.

Introducing MadIoT, the Latest IoT Security Threat

The presentation showcased a new class of potential attacks called “manipulation of demand via IoT (MadIoT)” that can use botnets to manipulate the power demand in the grid and cause widespread local power outages, and even large-scale blackouts. The attacks target the demand side of the national grid instead of the supply side, which includes heavily protected assets such as power lines and plants.

“Power grid security standards are all based on the assumption that the power demand can be predicted reliably on an hourly and daily basis,” the researchers wrote in their report. “Power grid operators typically assume that power consumers collectively behave similarly to how they did in the past and under similar conditions.”

This is particularly concerning now that some individuals, companies and government agencies are using IoT applications to control these power-sucking appliances, many of which have poor security measures in place.

How an IoT Botnet Could Roil the Energy Sector

The researchers examined three categories of attack by running simulations on real-world power grid models. The simulations found that MadIoT attacks can lead to local power outages and, in the worst cases, large-scale blackouts. These attacks could also be used to increase the cost of operating the grid, which would benefit a few utilities in the electricity market.

Let’s take a closer look at how these three scenarios played out.

In the first scenario, using simulators on the small-scale power grid model of the Western System Coordinating Council (WSCC), the researchers found it would take 90,000 air conditioners and 18,000 electric water heaters to disrupt the power demand in a targeted geographical area.

In another scenario, the researchers discovered that even a “small increase in power demands may result in line overloads and failures.” Using a model of the Polish power grid from summer in 2008, the researchers revealed that an increase of only 1 percent in demand would lead to a cascading grid failure with 263 line failures and outages for 86 percent of customers. In this scenario, criminals would need access to “about 210,000 air conditioners, which is 1.5 percent of the total number of households in Poland.”

In the third scenario, the researchers demonstrated that a 5 percent increase in the power demand during peak hours by an adversary can result in a 20 percent increase in the power generation cost. This kind of attack would likely be used for financial gain rather than to damage infrastructure, the researchers noted.

The third scenario mirrors an incident that occurred in early 2018 when cryptocurrency miners drove up the cost of power in Plattsburgh, New York. Because the town is so close to Niagara Falls, electricity prices in the area are extremely low, which attracted power-hungry miners, since mining requires a massive amount of energy. But all that crypto mining led to a surge in demand, and the town was forced to purchase energy on the open market to keep up. Eventually, the town imposed an 18-month moratorium on cryptocurrency mining companies while it worked to resolve the issue.

The IoT Botnet Threat Is Very Real

Taking over and enslaving interconnected, high-wattage appliances such as air conditioners and refrigerators might seem far-fetched, but as the Mirai botnet first taught us in 2016, the potential for IoT botnets to wreak havoc is very real. Just as Mirai took advantage of insecure routers and webcams, so too could an industrious attacker who gains access to the high-wattage appliances we use every day in our homes — which are increasingly connected to the outside world for the sake of convenience.

“This work sheds light upon the interdependency between the vulnerability of the IoT and that of the other networks such as the power grid whose security requires attention from both the systems security and power engineering communities,” the researchers wrote.

The researchers also noted that they hope their work will help protect the grid against future threats associated with insecure IoT devices. Improved IoT security will become increasingly critical as more smart appliances hit the market.

It’s Up to IoT Vendors to Prioritize Security

According to Graham Cluley, the threat of MadIoT serves as yet another reminder that IoT device manufacturers need to do more to prioritize security, such as test their appliances for vulnerabilities and work to prevent potential future compromise.

Security has been a concern around the IoT since the first connected devices came to market. With that in mind, the IoT Security Foundation published free security guidelines to help manufacturers adopt secure development.

“[IoT device vendors] sell a product at a certain cost. But having to maintain it for the next 10 years is not something that enters their thinking,” said Paul Dorey, chairman of the IoT Security Foundation, in a recent Financial Times interview.

The bottom line is that both device makers and organizations deploying IoT technologies need to prioritize security as IoT devices proliferate. If they don’t, they could be putting entire neighborhoods — even entire countries — at risk of a blackout.